incubator-general mailing list archives

From Benson Margulies <>
Subject Re: key signing
Date Mon, 08 Oct 2012 15:53:40 GMT
On Mon, Oct 8, 2012 at 11:43 AM, Marvin Humphrey <> wrote:
> On Mon, Oct 8, 2012 at 7:36 AM, Branko Čibej <> wrote:
>> What guarantee do you have that a particular Skype ID is whoever you
>> think it is? None at all, unless the person involved looked at your
>> Skype contact list and said, yeah, that's me. Likewise for Google
>> Hangout. As long as they're doing that, they might as well verify the
>> signature fingerprint in your PGP keyring.
>> In this respect e-mail is just as secure, so why don't we all just sign
>> keys because someone claiming to be from Chad sent us a mail asking
>> us for a signature?
>> Really.
> Is it your position that this excerpt from the GnuPG docs is wrong?
>     This may be done in person or over the phone or through any other
>     means as long as you can guarantee that you are communicating with
>     the key's true owner.

There's another side to this, which I would derisively label, 'so
what'? How does it help a user to see that my key is signed by 27 of
my fellow Apache contributors, if the user has never met any of us,
and has never met anyone who has met any of us, etc, etc. In other
words, the Web of Trust only helps users (very much) if they are
active participants, and likely to have trust links that reach ASF
release managers.

In my opinion, that's vanishingly unlikely, and so the best we can do
is to allow users to verify that the signature was, in fact, made by
the 'Apache hat' that it claimed to be made by. Using the keys in
KEYS, or the fingerprints from LDAP, seems the best they can do.

> Marvin Humphr

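As an added example (not from the thread or any ASF tooling), the check Benson describes: import the project's KEYS file, verify the detached signature, and then require that the signing key's fingerprint matches a value obtained out of band. Everything here is constructed in temporary directories; the "published fingerprint" stands in for the LDAP value, and the tool assumed is gpg 2.1 or later.

```shell
#!/bin/sh
# Added example (not from the thread): verify a release artifact against a
# project KEYS file and require that the signing key's fingerprint matches
# the one published out of band (LDAP in the thread). Requires gpg 2.1+.
# All keys, files and fingerprints below are constructed in temp dirs.
set -eu

WORK=$(mktemp -d)
RM_HOME="$WORK/rm"; USER_HOME="$WORK/user"
mkdir -p "$RM_HOME" "$USER_HOME"; chmod 700 "$RM_HOME" "$USER_HOME"

# Constructed release-manager key, a sample artifact signed with it, and the
# KEYS file a project would publish (an armored export of the RM's public key).
make_release() {
  GNUPGHOME="$RM_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "Release Manager (constructed) <rm@example.invalid>" default default never
  printf 'constructed release contents\n' > "$WORK/artifact.tgz"
  GNUPGHOME="$RM_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --armor --detach-sign -o "$WORK/artifact.tgz.asc" "$WORK/artifact.tgz"
  GNUPGHOME="$RM_HOME" gpg --batch --armor --export > "$WORK/KEYS"
  GNUPGHOME="$RM_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
}

# The fingerprint the RM publishes through a second channel (stand-in for LDAP).
published_fingerprint() {
  GNUPGHOME="$RM_HOME" gpg --batch --with-colons --fingerprint --list-keys \
      | awk -F: '/^fpr/ { print $10; exit }'
}

# verify_release ARTIFACT SIG KEYS EXPECTED_FPR
# Returns 0 only when the signature is cryptographically valid AND was made by
# the key whose fingerprint the user obtained independently. "Good signature"
# alone is not enough: gpg reports it for any key imported from KEYS, so the
# VALIDSIG status line (field 3 is the full fingerprint) is compared explicitly.
verify_release() {
  artifact=$1; sig=$2; keys=$3; expected=$4
  GNUPGHOME="$USER_HOME" gpg --batch --quiet --import "$keys" 2>/dev/null
  actual=$(GNUPGHOME="$USER_HOME" gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null \
      | awk '/^\[GNUPG:\] VALIDSIG / { print $3; exit }')
  [ -n "$actual" ] || { echo "no valid signature over $artifact" >&2; return 1; }
  if [ "$actual" = "$expected" ]; then
    echo "signed by expected key $actual"
  else
    echo "valid signature, but from UNEXPECTED key $actual" >&2; return 1
  fi
}

make_release
verify_release "$WORK/artifact.tgz" "$WORK/artifact.tgz.asc" "$WORK/KEYS" "$(published_fingerprint)"
```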
